The answer to your question is *not* to build queries yourself.
Use whatever parameterised query interfaces are available for your programming environment.
For example, if you are using ASP/ADO, then you can use ADO Command objects (and append parameters).
If you are using ASP.NET/ADO.NET then you have parameterised query support (for inline queries, or stored procedures). Use the appropriate SqlCommand or OleDbCommand object.
If you are using something else, then consult the list.
This is a 100% foolproof way of avoiding SQL injection attacks if you use it everywhere, because unless the API programmer made a mistake writing their SQL parser, you're not vulnerable. And my bet is that DBMS programmers write much better SQL parsers than most of us ever will.
Cheers
Ken
> -----Original Message-----
> From: thelist-bounces at lists.evolt.org [mailto:thelist-bounces at lists.evolt.org] On Behalf Of Todd Richards
> Sent: Thursday, 29 May 2008 10:02 AM
> To: thelist at lists.evolt.org
> Subject: Re: [thelist] Website Hacked?
>
> Hi Chris -
>
> Thanks for the information. I actually had an article talking about SQL injections and it mentions using parameterized queries. I wasn't aware of that, so I will do some more research on how to rewrite my applications to do so (along with some better data cleansing). I understand the use of a parameter, but not quite sure how to implement it. But I have some books and the Internet to figure that out. My queries were being built as
>
> Query = "select this from that where id = " & id
>
> I was checking to see that it was being passed an integer, but obviously that wasn't enough. Someone else offered a start to how to clean the data first, so I will look at that as well.
>
> The whitepaper that I was reading also mentions that one of the ways an attacker figures out stuff is because bad attempts to hack may reveal database error messages from the server. What is a common way to avoid that? I tried a few hacks that it mentions and I don't get anything "valuable". So I don't know whether my site is or isn't vulnerable to that.
>
> Todd
>
> PS - Great cartoon - hits home too!!!
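Added example, not part of Ken's reply or Todd's message: the concatenated query Todd quotes (`"select this from that where id = " & id`) placed beside the parameterised form Ken recommends, plus the generic-error handling Todd asks about. It uses Python's standard `sqlite3` module with an in-memory table of constructed rows as a stand-in for ASP/ADO; the `?` placeholder is sqlite3's qmark style (ADO.NET's SqlCommand would use a named `@id` parameter), and the table, rows, and function names are assumptions made for the illustration.

```python
import logging
import sqlite3

log = logging.getLogger("lookup")


def make_db():
    """Build an in-memory SQLite table with constructed sample rows (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT, owner TEXT)")
    conn.executemany(
        "INSERT INTO items VALUES (?, ?, ?)",
        [(1, "widget", "alice"), (2, "gadget", "bob"),
         (3, "gizmo", "carol"), (4, "o'ring", "dave")],
    )
    return conn


def lookup_concat(conn, id_value):
    """The pattern from the quoted message: the input is pasted into the SQL
    text, so whatever it contains is parsed by the database as SQL."""
    sql = "SELECT name FROM items WHERE id = " + str(id_value) + " ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, id_value):
    """Same query with a placeholder. The SQL text and the value travel
    separately; the value is data, never SQL, whatever it contains."""
    sql = "SELECT name FROM items WHERE id = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (id_value,))]


def name_concat(conn, name):
    """String version of the concatenation: a legitimate apostrophe in the
    input already breaks the statement, before any attacker is involved."""
    sql = "SELECT owner FROM items WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def name_param(conn, name):
    """Parameterised string lookup: quotes in the value need no escaping."""
    sql = "SELECT owner FROM items WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def handle_lookup(conn, lookup_fn, value):
    """What the page should return to the browser. The DBMS error text goes
    to the server log only; the caller sees a fixed, generic message, so a
    failed request never reveals database error details."""
    try:
        return {"ok": True, "rows": lookup_fn(conn, value)}
    except sqlite3.Error as exc:
        log.error("lookup failed for value=%r: %s", value, exc)
        return {"ok": False, "message": "Request could not be processed."}


if __name__ == "__main__":
    db = make_db()
    print("concat, id=2:           ", lookup_concat(db, 2))
    print("concat, id='2 OR 1=1':  ", lookup_concat(db, "2 OR 1=1"))
    print("param,  id='2 OR 1=1':  ", lookup_param(db, "2 OR 1=1"))
    print("param,  id='2':         ", lookup_param(db, "2"))
    print("concat name o'ring:     ", handle_lookup(db, name_concat, "o'ring"))
    print("param  name o'ring:     ", handle_lookup(db, name_param, "o'ring"))
```

Run it and the concatenated lookup returns every row for the non-integer input, while the parameterised lookup returns nothing for it and still finds row 2 when handed the string `"2"`. The `o'ring` case shows the other half of Ken's point: with concatenation an ordinary apostrophe produces a syntax error (which, unhandled, is exactly the database error message Todd's whitepaper warns about), whereas the parameterised query simply returns the owner.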